Event Details

OWASP Göteborg is happy to announce that security expert Mario Heiderich will give two presentations: one on the history of XSS and one on mXSS. The event will be held in English.

It will be an evening where we can all learn about the new threat mXSS and what we can do to protect ourselves. We want to thank our sponsor Chalmers for the food, drinks and venue. Seats are limited, so please make sure to book your seat today!

Mario Heiderich is founder of the German/UK pen-test outfit Cure53 and a Microsoft security contractor. He focuses on HTML5, SVG security and script-less attacks, and believes XSS can be eradicated by using JavaScript. Maybe. Some day. Actually quite soon. Mario started the HTML5 security cheat-sheet, the Alexa Top 1x search engine Crawly and several other projects. In the remaining time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple-minded fun of breaking things. Mario has spoken at a wide variety of international conferences - both academic and industry-focused - has co-authored two books and several academic papers, and doesn't see a problem in his one-year-old son having a tablet already. There you have it.

Abstracts:

The InnerHTML Apocalypse - How mXSS Attacks change everything we believed we knew so far

This talk introduces and discusses a novel, mostly unpublished technique for successfully attacking websites that are protected by state-of-the-art XSS defenses. The attack, labeled Mutation-XSS (mXSS), is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help in understanding what mXSS is, why mXSS is possible and why it is important for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research in this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.
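The mechanism the abstract alludes to (a filter inspects the markup string, the browser's innerHTML parse/serialize cycle then mutates it into something the filter never saw) can be shown end to end in a few lines. The following is an added example, not code from the talk, from Cure53 or from the original page. It is a constructed JavaScript model: the function names (naiveSanitize, mutatingRoundTrip, sanitizeToFixpoint), the payload and the modelled browser quirk (a raw-text element whose content is entity-decoded when the browser serializes it back) are assumptions for illustration. The model is not a real HTML parser and does not reproduce any specific browser version; it exists to show why sanitizing before the round trip is not enough and what a mutation-aware check looks like.

```javascript
// Constructed model of a mutation-XSS (mXSS) round trip. Added example, not
// code from the talk, from Cure53 or from the original page. The browser is
// modelled by mutatingRoundTrip(), which imitates one mutation class only:
// a raw-text element whose content is entity-decoded on innerHTML
// serialization. Real browsers differ; the pipeline is the point.

// Step 1: a typical string-level sanitizer. It strips <script> elements and
// on* event-handler attributes from tags it can see in the input string.
function naiveSanitize(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/<([a-z][a-z0-9]*)\b([^>]*?)\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '<$1$2');
}

// Minimal entity decoder used by the modelled serializer (&amp; is decoded
// last so that "&amp;lt;" does not turn into "<").
function decodeEntities(text) {
  return text
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, '&');
}

// Step 2: model of `el.innerHTML = html; return el.innerHTML;`. Everything is
// returned unchanged except the content of <listing>/<xmp>, which the
// modelled browser decodes on serialization. That decoding is the mutation
// (assumed behaviour for this model, not a claim about any current browser).
function mutatingRoundTrip(html) {
  return html.replace(/<(listing|xmp)\b[^>]*>([\s\S]*?)<\/\1>/gi,
    (whole, tag, body) => `<${tag}>${decodeEntities(body)}</${tag}>`);
}

// Detector: does the markup contain a live event handler or script element?
function hasActiveContent(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Step 3: a mutation-aware defence. Push the markup through the
// parse/serialize cycle and the sanitizer until the string stops changing,
// so the sanitizer always sees the form the browser will actually execute.
// Markup that never stabilizes is rejected instead of passed through.
function sanitizeToFixpoint(html, maxRounds = 5) {
  let current = html;
  for (let i = 0; i < maxRounds; i++) {
    const next = naiveSanitize(mutatingRoundTrip(current));
    if (next === current) return current;
    current = next;
  }
  throw new Error('markup did not reach a fixpoint; rejecting it');
}

// Constructed attacker input. On the wire it contains no "<img" at all, so a
// sanitizer that inspects the string finds nothing to remove.
const PAYLOAD = '<listing>&lt;img src=x onerror=alert(1)&gt;</listing>';

function demo() {
  const afterFilter = naiveSanitize(PAYLOAD);          // unchanged
  const afterBrowser = mutatingRoundTrip(afterFilter); // now holds <img onerror=...>
  return {
    filterSawNothing: afterFilter === PAYLOAD,
    cleanBeforeBrowser: !hasActiveContent(afterFilter),
    liveAfterBrowser: hasActiveContent(afterBrowser),
    hardened: sanitizeToFixpoint(PAYLOAD),
  };
}

console.log(demo());
```

Run it with `node`. The output shows the three facts that make mXSS work: the filter sees nothing to strip, the markup is harmless as a string, and it carries a live `onerror` handler after one trip through the modelled browser. Re-serializing and re-assigning that string (an editor saving and reloading content, a page copying a fragment between nodes) is what turns the mutated form into executing code. The fixpoint loop is the modelled equivalent of what a DOM-based sanitizer has to do: decide on the markup the browser will run, not on the markup the attacker sent.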

XSS from 1999 to 2013: The "Doctrine Classique" of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution that resembles the classic dramatic theory - including catastasis, heroism, villainy and peripeteia. Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless "alert" is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time. This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat-bellied websecurity community, and try to leave the hope that not all will be lost in the realms of the WWW.

Agenda [ENGLISH]

17:30 Event starts with a light snack and drink. A word from our sponsor Chalmers.